Malicious Edge extension abuses Native Messaging as bridge to malware
Summary
A malicious Microsoft Edge extension named 'Edgecution' has been found abusing the Native Messaging feature, which lets an extension exchange messages with a native application registered on the host, to escape the browser sandbox and deploy a Python backdoor. That backdoor was subsequently used to stage a ransomware attack, making this a multi-stage intrusion rather than a standalone browser-only threat.
IFF Assessment
FOE
This article details an attack vector and a malicious tool that can be used to compromise systems and deploy ransomware, posing a direct threat to the environments defenders protect.
Defender Context
Defenders should be aware of extensions that abuse Native Messaging: the native host runs outside the browser sandbox, so an extension with the nativeMessaging permission can relay commands to it and, through it, to arbitrary code on the endpoint. Note that an extension cannot register a host by itself; on Windows the host manifest must be placed on disk and referenced from a registry key under Software\Microsoft\Edge\NativeMessagingHosts, so something must already have executed on the machine, and that registration is itself a useful detection point. Beyond that, monitoring for extensions that request nativeMessaging, for browser processes spawning script interpreters such as python.exe, and for unusual network connections originating from browser processes or their children can help detect such threats.
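As an added example of the checks described above (this is illustrative code written for this page, not code from the article or from the Edgecution sample), the script below triages native messaging host manifests and process-creation events. It assumes a Windows host with Chromium-style manifests, Sysmon-style field names (ParentImage, Image, CommandLine), and an organisation-maintained allowlist of approved extension IDs; every manifest, extension ID and event in it is constructed.

```python
"""Triage helpers for Native Messaging abuse by a browser extension.

Added example, not from the article.  Checks shown:
  1. native messaging host manifests (the JSON file a registry value under
     Software\\Microsoft\\Edge\\NativeMessagingHosts\\<name> points at), and
  2. a rule over process-creation events (Sysmon Event ID 1 style) that flags
     a browser process spawning a script interpreter.
All manifests, extension IDs and events below are constructed samples.
"""
import json
import ntpath
import re

# Interpreters a legitimate native host is rarely built from, but a bridge
# to a script backdoor needs.  Compared case-insensitively on the basename.
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"msedge.exe", "chrome.exe"}

# Chromium host manifests list the extensions allowed to talk to them as origins.
EXTENSION_ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")

# A host binary dropped where any user can write is more suspect than one
# installed under Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads)\\|\\Users\\Public\\|\\ProgramData\\",
    re.IGNORECASE)


def assess_host_manifest(manifest: dict, allowed_extension_ids: set) -> list:
    """Return a list of findings for one native messaging host manifest."""
    findings = []
    path = manifest.get("path", "")
    if ntpath.basename(path).lower() in INTERPRETERS:
        findings.append(f"host executable is a script interpreter: {path}")
    if USER_WRITABLE_RE.search(path):
        findings.append(f"host executable is in a user-writable location: {path}")
    for origin in manifest.get("allowed_origins", []):
        match = EXTENSION_ORIGIN_RE.match(origin)
        if match is None or match.group(1) not in allowed_extension_ids:
            findings.append(f"host is reachable from an unapproved extension: {origin}")
    return findings


def requests_native_messaging(extension_manifest: dict) -> bool:
    """True if an extension's manifest.json asks for the nativeMessaging permission."""
    perms = (extension_manifest.get("permissions", [])
             + extension_manifest.get("optional_permissions", []))
    return "nativeMessaging" in perms


def assess_process_event(event: dict):
    """Flag a browser process launching a script interpreter; None otherwise.

    Chromium launches native hosts as children of the browser process, so a
    legitimate host also appears here; the interpreter check is what separates
    a bridge to a script backdoor from a compiled helper.
    """
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent in BROWSERS and child in INTERPRETERS:
        return f"{parent} spawned {child}: {event.get('CommandLine', '')}"
    return None


# Constructed allowlist: extension IDs the organisation has approved.
APPROVED_EXTENSIONS = {"abcdefghijklmnopabcdefghijklmnop"}

# Constructed host manifests in the on-disk JSON format (paths are JSON-escaped).
HOST_MANIFESTS = [
    json.loads(r'''{"name": "com.example.vendor_host", "type": "stdio",
        "path": "C:\\Program Files\\Vendor\\host.exe",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]}'''),
    json.loads(r'''{"name": "com.example.bridge", "type": "stdio",
        "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\python.exe",
        "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"]}'''),
]

# Constructed extension manifest.json fragment.
EXTENSION_MANIFEST = {"name": "Tab helper", "manifest_version": 3,
                      "permissions": ["tabs", "nativeMessaging"]}

# Constructed process-creation events (Sysmon Event ID 1 field names).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\python.exe",
     "CommandLine": r"python.exe C:\Users\alice\AppData\Local\Temp\host.py"},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --type=renderer"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


def scan(host_manifests=HOST_MANIFESTS, events=PROCESS_EVENTS,
         approved=APPROVED_EXTENSIONS) -> list:
    """Run both checks and return (source, finding) pairs."""
    report = []
    for manifest in host_manifests:
        report += [(manifest["name"], f) for f in assess_host_manifest(manifest, approved)]
    for event in events:
        finding = assess_process_event(event)
        if finding:
            report.append((ntpath.basename(event["Image"]), finding))
    return report


if __name__ == "__main__":
    for source, finding in scan():
        print(f"[{source}] {finding}")
```

On the constructed data the vendor host produces no findings, the bridge manifest produces three (interpreter as host, user-writable path, unapproved origin), and only the msedge.exe to python.exe event is flagged; the renderer child and the explorer-launched cmd.exe are ignored. In production the manifests would be read from the paths the registry keys point at and the events from the endpoint telemetry pipeline.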